Research

Information Technology

Establishing Enterprise- and Facility-Specific Access Provisioning

With concerns about data security growing throughout the industry, many organizations have investigated strategies for reducing unauthorized and inappropriate access to protected health information in order to reduce the possibility of breaches or other costly violations. Effective access provisioning practices provide control over employee roles and data access, but questions remain regarding its role in governance structures as well as the best approach to centralizing or decentralizing processes.

Given this challenge in the industry, The Academy recently spoke with leadership from three health systems, including two with several providers in multiple states, to discuss their approaches to user provisioning—and to identify best practices that could be applied at other institutions across the industry looking to improve efficiency while ensuring security as well. All three of these organizations maintain centralized access management strategies to some extent, but note that some level of procedural decentralization may always be necessary. For each, this comes in the form of facility-based audit processes, decentralized decision support for validation purposes, and specialized review processes for roles requiring elevated access.